From: Marko Kreen <markokr@gmail.com>
Date: Fri, 11 Sep 2009 14:23:59 +0000 (+0000)
Subject: Fix potential buffer overflow when len(typname) > 32
X-Git-Tag: plproxy_2_0_9rc1~4
X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=b515c6b5fafdff43e61017bc8494b4979f45d89c;p=plproxy.git

Fix potential buffer overflow when len(typname) > 32

The fixed size buffer tmp[32] was not updated when type casting was added.

Reported by Ian Sollars
---

diff --git a/src/query.c b/src/query.c
index 1deba9a..c734bf0 100644
--- a/src/query.c
+++ b/src/query.c
@@ -69,13 +69,13 @@ plproxy_query_add_const(QueryBuffer *q, const char *data)
 static void
 add_ref(StringInfo buf, int sql_idx, ProxyFunction *func, int fn_idx, bool add_type)
 {
-	char		tmp[32];
+	char		tmp[1 + 3 + 2 + NAMEDATALEN*2 + 1];
 
 	if (add_type)
-		sprintf(tmp, "$%d::%s", sql_idx + 1,
+		snprintf(tmp, sizeof(tmp), "$%d::%s", sql_idx + 1,
 				func->arg_types[fn_idx]->name);
 	else
-		sprintf(tmp, "$%d", sql_idx + 1);
+		snprintf(tmp, sizeof(tmp), "$%d", sql_idx + 1);
 	appendStringInfoString(buf, tmp);
 }